10 Myths and Facts about HIPAA and Meaningful Security Risk Analysis

MythFactConducting  a security risk analysis to meet the standards of Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule is included in the meaningful use requirements of the Medicare and Medicaid EHR Incentive Programs. The following areas addresses some of the common myths about conducting a risk analysis, and provides facts and tips that can help you structure your risk analysis process.

 

Myth 1: The security risk analysis is optional for small providers

Fact: False. All providers who are “covered entities” under HIPAA are required to perform a risk analysis. In addition, all providers who want to receive EHR incentive payments must conduct a risk analysis.

Myth 2:  Simply installing a certified EHR fulfills the security risk analysis MU requirement

Fact: 

False. Even with a certified EHR, you must perform a full security risk analysis. Security requirements address all electronic protected health information you maintain, not just what is in your EHR.

Myth 3: My EHR vendor took care of everything I need to do about privacy and security

Fact:  False. Your EHR vendor may be able to provide information, assistance, and training on the privacy and security aspects of the EHR product. However, EHR vendors are not responsible for making their products compliant with HIPAA Privacy and Security Rules. It is solely your responsibility to have a complete risk analysis conducted.

Myth 4:  I have to outsource the security risk analysis

Fact: False. It is possible for small practices to do risk analysis themselves using self-help tools. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.

Myth 5:  A checklist will suffice for the risk analysis requirement

Fact: False. Checklists can be useful tools, especially when starting a risk analysis, but they fall short of performing a systematic security risk analysis or documenting that one has been performed.

Myth 6:  There is a specific risk analysis method that I must follow

Fact:  False. A risk analysis can be performed in countless ways. OCR has issued Guidance on Risk Analysis Requirements of the Security Rule. This guidance assists organizations in identifying and implementing the most effective and appropriate safeguards to secure e-PHI.

Myth 7:  My security risk analysis only needs to look at my EHR

Fact:  False. Review all electronic devices that store, capture, or modify electronic protected health information. Include your EHR hardware and software and devices that can access your EHR data (e.g., your tablet computer, your practice manager’s mobile phone). Remember that copiers also store data.  Please see U.S. Department of Health and Human Services (HHS) guidance on remote use.

Myth 8:  I only need to do a risk analysis once

Fact:  False. To comply with HIPAA, you must continue to review, correct or modify, and update security protections.

Myth 9:  Before I attest for an EHR incentive program, I must fully mitigate all risks

Fact: False. The EHR incentive program requires correcting any deficiencies (identified during the risk analysis) according to the timeline established in the provider’s risk management process, not the date the provider chooses to submit meaningful use attestation. The timeline needs to meet the requirements under 45 CFR 164.308(a)(1), including the requirement to “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with [45 CFR ]§164.306(a).”

Myth 10:  Each year, I’ll have to completely redo my security risk analysis

Fact:  False. Perform the full security risk analysis as you adopt an EHR. Each year or when changes to your practice or electronic systems occur, review and update the prior analysis for changes in risks. Under meaningful use, reviews are required for each EHR reporting period. For EPs, the EHR reporting period will be 90 days or a full calendar year, depending on the EP’s year of  participation in the program.

Source: CMS

 

Share this in :
  •  
  •  
  •  
  •  
The following two tabs change content below.
Our mission is to assist healthcare organizations and business associates in the development, design, and implementation of practices to secure IT systems and comply with HIPAA/HITECH privacy, security, breach and enforcement rules by protecting patient health information.

Subscribe for Updates

Upcoming Events

  1. Managing the Risks of a Healthcare Data Breach

    April 6 @ 12:00 pm - 1:30 pm